UCLA Hacked, May Affect 4.5 Million

UCLA Health has suffered a cyber-attack that it presently believes could affect up to 4.5 million individuals.

The delivery system serving the Los Angeles region will offer those affected one year of free identity theft and identity restoration services from ID Experts. The patient notification process has started and letters should be mailed within weeks, according to information on the UCLA Health web site.

UCLA Health detected suspicious network activity in October 2014 and investigated with assistance from the FBI. At that time, it did not appear that the attackers had gained access to parts of the network that contain personal and medical information, according to a statement.

As part of that ongoing investigation, on May 5, 2015, UCLA Health determined that the attackers had accessed parts of the UCLA Health network that contain personal information such as names, addresses, dates of birth, Social Security numbers, medical record numbers, Medicare or health plan ID numbers, and some medical information. Based on the continuing investigation, it appears that the attackers may have had access to these parts of the network as early as September 2014. We continue to investigate this matter.

However, UCLA noted in the statement that there is no evidence yet that attackers actually accessed or acquired patient information.

The organization is one of more than two dozen covered entities under the HIPAA privacy and security rules to pay a major fine to the HHS Office for Civil Rights following a breach.

In 2011, UCLA Health paid an $865,500 fine that accompanied a resolution agreement, and agreed to implement a three-year corrective action plan after celebrities complained that their privacy had been violated and an investigation found unauthorized employees repeatedly snooped in patient files.